VCS packages should be locked with their exact commit

[OrangeDog]

Not sure how hard this is, but it would fill a current hole in the locking mechanism.

All of these Pipfile entries are locked as-is:

package = {git = "ssh://[email protected]/user/repo.git"}
package = {ref="master", git = "ssh://[email protected]/user/repo.git"}
package = {ref="v1.0", git = "ssh://[email protected]/user/repo.git"}
package = {ref="dd9e921", git = "ssh://[email protected]/user/repo.git"}

"package": {
    "git": "ssh://[email protected]/user/repo.git",
    "ref": "master"
}

Instead, to ensure the target is actually fixed, the ref should be resolved to its current target when locking.

"package": {
    "git": "ssh://[email protected]/user/repo.git",
    "ref": "dd9e921f0fa31c50ffb7bff91c5c9c6d552f1b3a",
    "version": "==1.0.2"
}

The hashes can then also be included.

[techalchemy]

Seems right to me. I was just working on this on my flight and basically just need to grab pips implementation for updating. This will relate to #1690 whenever I get it done.

[OrangeDog]

It also doesn't lock things installed via dependency_links (though they are deprecated, there is no alternative solution that I know of).

Edit
Actually, nothing listed in a VCS setup.py's install_requires is locked, even though it is installed.
@techalchemy shall I make a separate issue for that?

[techalchemy]

@OrangeDog I was actually just looking at that, no need for a separate issue. I have like 80% of a solution. Locking the actual refs is working but you can see the WIP branch here: ea6f02d

[OrangeDog]

@techalchemy I just tested 2018.6.25 and it still doesn't appear to lock the install_requires of VCS packages (though they are still installed). You want that separate issue now?